RESOLUTION APPROVING THE CYBERSECURITY PLAN PURSUANT TO THE 
SFY 2018-19 BUDGET. 

WHEREAS the New York State Board of Elections (State Board) has been closely monitoring the 
ever-growing threat posed to information and elections systems by nation-states, terrorist 
organizations and independent criminal actors; and 

WHEREAS the State Board has been working extensively with federal, state, local and other 
important partners (the Elections Assistance Commission (EAC), the federal General Services 
Administration (GSA), the federal Department of Homeland Security (DHS), the Federal Bureau 
of Investigation (FBI), the Center for Internet Security (CIS), the Multi-State Information Sharing 
and Analysis Center (MS-ISAC), the Elections Infrastructure Information Sharing and Analysis 
Center (EI-ISAC), NYS Office for Information Technology Services (OITS), Governor's 
Cybersecurity Advisory Board (CSAB), the Belfer Center for Science and International Affairs at 
Harvard University, and the University at Albany's Center for Technology in Government (CTG)) 
to develop a comprehensive plan to ensure the security of New York State's elections 
infrastructure; and 

WHEREAS the SFY 2018-19 budget allocates $5 million dollars for "services and expenses 
related to securing election infrastructure from cyber-related threats including, but not limited 
to the creation of an election support center, development of an elections cybersecurity 
support toolkit, and providing cyber risk vulnerability assessments and support for local board 
of elections;" and 

WHEREAS, per the SFY 2018-19 budget, expenditures of such funds shall be approved by a vote 
of the State Board of Elections Commissioners pursuant to subdivision 4 of section 3-100 of the 
election law; 

WHEREAS the State Board staff through their work with the federal, state, local, and other 
partners mentioned above, have drafted an allocation plan. 

WHEREAS the State Board staff has been leveraging existing Federal and State resources, such 
as attending the Belfer Center of Science and International Affairs Cybersecurity Tabletop 
Exercise "Train the Trainer" program; and 




WHEREAS the State Board staff has partnered with the federal Department of Homeland 
Security both to have an internal risk assessment conducted and to execute six regional 
cybersecurity tabletop exercises across New York State; and 

WHEREAS the State Board has been leveraging existing technological and security resources by 
partnering with the federal Department of Homeland Security, MS-ISAC and EI-ISAC; and 

WHEREAS, the federal Elections Administration Commission (EAC) has allocated New York State 
$19,483,647 (19.5 M) dollars subject to a State 5% match of cybersecurity related funds; 

WHEREAS, the $5 million dollar State cybersecurity funds will be leveraged to meet the federal 
5% match requirement to secure federal Cybersecurity grant funding; 

NOW THEREFORE BE IT RESOLVED the state cybersecurity plan, attached hereto, is hereby 
approved and the State Board of Elections is authorized to implement such plan; 

NOW THEREFORE BE IT FURTHER RESOLVED that the State Board staff is authorized to expend 
up to $1.25 million in State cybersecurity funds in the implementation of the state 
cybersecurity plan; and 

NOW THEREFORE BE IT FURTHER RESOLVED that the State Board staff is authorized to expend 
federal HAVA cybersecurity funds at a limit to not exceed $5 million dollars in the 
implementation of the state cybersecurity plan. 


Approved May 3, 2018 
VOTE 40 
The New York State Board of Elections (NYSBOE) has been closely monitoring the ever-growing threat 
posed to information and elections systems by nation-states, terrorist organizations and independent 
criminal actors. 

Collaboration and Consultation 


NYSBOE has been working extensively with federal, state, local and other important partners (the 
Elections Assistance Commission (EAC), the federal General Services Administration (GSA), the federal 
Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), the Center for 
Internet Security (CIS), the Multi-State Information Sharing and Analysis Center (MS-ISAC), the Elections 
Infrastructure Information Sharing and Analysis Center (EI-ISAC), NYS Office for Information Technology 
Services (OITS), Governor's Cybersecurity Advisory Board (CSAB), the Belfer Center for Science and 
International Affairs at Harvard University, and the University at Albany's Center for Technology in 
Government (CTG)) to develop a comprehensive plan to ensure the security of New York State's 
elections infrastructure. 

Funding (See Attachment A) 

State funds are coming from the SFY 2018-19 executive budget which allocates $5 million dollars¹ for 
"services and expenses related to securing election infrastructure from cyber-related threats including, 
but not limited to the creation of an election support center, development of an elections cybersecurity 
support toolkit, and providing cyber risk vulnerability assessments and support for local board of 
elections." In addition, federal funding is available through the 2018 HAVA (Help America Vote Act) 
Election Security Grant, which allocates $19,483,647 dollars to the State of New York "to improve the 
administration of elections for Federal office, including to enhance election technology and make 
security improvements."² In order to be eligible for newly allocated federal cybersecurity funds, the 
State must provide a 5% match. The $5M State funding would meet the match requirements. NYSBOE 
is confident that the current State HAVA plan would not require any update to accept additional federal 
funding. 

The Plan 


Our comprehensive allocation plan is to: 

Assess the risk to the State and County election systems; 
Remediate the vulnerabilities; 
Monitor ongoing operations; and 
Respond to incidents. 


¹ State Operations Budget Bill (S7500-A / A9500-A) 2018-19, page 130. 

² 2018 Help America Vote Act Elections Security Grants Award Packet, April 17, 2018, page 1. 
Assess the Risk 

Comprehensive Risk Assessment for the New York State Board of Elections 

The New York State Board of Elections has entered into a partnership with the federal Department of 
Homeland Security to have a free comprehensive Risk and Vulnerability Assessment conducted on the 
State's elections infrastructure. This one-on-one engagement will combine national level threat and 
vulnerability information with data collected and discovered through the assessment from which DHS 
will provide NYSBOE with specific risk analysis reports and strategic remediation recommendations 
prioritized by risk. 

Comprehensive Risk Assessment for all County Board of Elections 

NYSBOE will contract for professional services to conduct a comprehensive, uniform and verified risk 
assessment at every County Board of Elections (CBOE). NYSBOE has already conducted a CBOE elections 
risk survey to gain an understanding of the security posture of each county board. County Boards are 
responsible for procuring, inventorying, securing and training staff on elections infrastructure and 
technologies. A uniform and verified third party risk assessment is critical in ascertaining a security 
baseline for our statewide elections infrastructure. 

Remediate Vulnerabilities 


NYSBOE Remediation 

NYSBOE has identified several areas of remediation to implement concurrently with the risk assessment. 

County Board Remediation 

CBOE Risk Assessment findings will identify any potential vulnerabilities in New York State's 
elections system and infrastructure. Vulnerabilities will need immediate remediation to ensure the 
security of our systems and a secure architecture of CBOEs. The Secure Elections Center would receive, 
analyze and evaluate, and set priorities to address identified vulnerabilities. 

Monitor Operations 

Cybersecurity Regulation 

As part of monitoring ongoing operations, NYSBOE will develop, implement and evaluate a 
comprehensive cybersecurity regulation designed to set uniform regulatory standards. To do this, 
NYSBOE will procure information advisory services to assist in the development of cybersecurity 
regulations, setting standards for the state and county boards to monitor their ongoing cybersecurity. 
The regulation will be designed to promote the protection of election systems while not being overly 
prescriptive so that cybersecurity programs can match relevant risks and keep pace with technological 
advances. NYSBOE has started this process and has engaged and collaborated with relevant state 
partners. 
Creation of a NYSBOE Secure Elections Center 

The NYSBOE Secure Elections Center is tasked with assisting all Counties with the formulation, 
implementation and evaluation of security measures, regulations and policies relative to elections 
infrastructure. The Center is responsible for collecting, reviewing, consulting and evaluating all elections 
security policies and regulations and for ensuring continuity of election administration and operations. The 
Secure Elections Center would work closely with the existing executive management of the Board and 
report directly to the Chief Information Officer. The Secure Elections Center would require the addition 
of the following: one (1) NYSBOE Elections Chief Information Security Officer (CISO) to oversee the State 
Board's cybersecurity policy, patching, internal log review, incident management, security software 
management and to oversee the county liaison program; one (1) IT Specialist 3 to support security of 
NYSVOTER, the state voter registration list; two (2) Election Security Specialists to provide assistance and 
coordinate the delivery of services of the Center to the County Boards; one (1) Elections Security Clerk to 
manage the Secure Elections Center help desk function and assist with routine questions, coordination, 
monitoring and logging of activity; one (1) Website Secure Access Specialist to manage the Board's 
website and ensure the accessibility of documents; one (1) Senior Assistant for Elections Continuity to 
focus on risk assessment and mitigation strategies as part of the evaluation of election systems 
technology; and two (2) Elections Security Specialists to act as liaisons and coordinate with CBOEs 
relative to policy implementation, improved audits of election results, risk analysis coordination and 
connection support. 

Network Monitoring at CBOEs 

Federal, State and other stakeholders (EAC, CSAB and EI/MS-ISAC) recommend that network monitoring 
be immediately implemented at each County Board of Elections, if not already in place. Monitoring, 
Distributed Denial of Service (DDOS) protection and site scanning will provide a baseline of security for 
elections systems and infrastructure. County Board of Elections infrastructure may be networked with 
County infrastructure which increases the scope and cost of network monitoring. The State Board plans 
to provide interim monitoring services to CBOEs through December 2020. 

County Cybersecurity Training and Toolkit 

The NYSBOE will develop a series of training tools for CBOEs, based on recognized industry standards, in 
relation to cyber hygiene best practices, access management protocols and recommendations for 
incident handling. Comprehensive cybersecurity training will be provided to all CBOEs on a continuous 
basis. This is required to ensure a consistent level of cyber hygiene and combat vulnerabilities raised by 
staff turnover as well as to stay current with the latest trends and developments in cybersecurity. 

Respond to Incidents 

NYSBOE will establish the Secure Elections Center to increase the cybersecurity of the State and County 
Boards of Elections. The Center's focus on training and preparedness will prevent some incidents from 
occurring. The Center will also develop a comprehensive incident response plan for the State and 
County Boards to triage, coordinate and respond to cyber incidents. The incident response plan 
requires: 
• personnel to staff and respond to cyber incidents; 

• technology to facilitate the intake, coordination and tracking response to cyber incidents; 

• the development of a comprehensive cyber incident plan which includes the review and 
updating of State and County Board of Elections current emergency security and response plans; 
and 

• procedures for incident identification, containment, eradication, recovery and post-response 
assessment will be fully developed. 

NYSBOE will conduct a series of regional tabletop exercises in conjunction with the US Department of 
Homeland Security, NY State Police, the FBI and County Boards of Elections to discuss hypothetical cyber 
events that may impact a Board's ability to administer an election. These exercises are used to identify 
additional mitigation strategies, preparedness needs and enhance collaboration between stakeholders. 



2018 HAVA ELECTION SECURITY GRANT 

Budget Information 

CFDA # 90.404 Non-Construction Program 

Name of Organization: New York State Board of Elections 
Budget Period Start: 3/23/2018 
Budget Period End: 

SECTION A - BUDGET SUMMARY: FEDERAL & NON-FEDERAL FUNDS (Match) 
(Consolidated Budget for total project term - up to 5 years as defined by grantee) 

| BUDGET CATEGORIES | (a) Voting Equipment | (b) Election Auditing | (c) Voter Registration Systems | (d) Cyber Security | (e) Communications | (f) Other | (g) Other | TOTALS | % Fed Total |
|---|---|---|---|---|---|---|---|---|---|
| 1. PERSONNEL (including fringe) | | | | $ 5,000,000.00 | | | | $ 5,000,000.00 | 26% |
| 2. EQUIPMENT | | | | $ 100,000.00 | | | | $ 100,000.00 | 1% |
| 3. SUBGRANTS - to local voting jurisdictions | | | | | | | | $ - | 0% |
| 4. TRAINING | | | | $ 200,000.00 | | | | $ 200,000.00 | 1% |
| 5. ALL OTHER COSTS | | | | $ 14,183,647.00 | | | | $ 14,183,647.00 | 73% |
| 6. TOTAL DIRECT COSTS (1-6) | $ - | $ - | $ - | $ 19,483,647.00 | $ - | $ - | $ - | $ 19,483,647.00 | |
| 7. INDIRECT COSTS (if applied) | | | | | | | | $ - | 0% |
| 8. Total Federal Budget | $ - | $ - | $ - | $ 19,483,647.00 | $ - | $ - | $ - | $ 19,483,647.00 | |
| 11. Non-Federal Match | | | | $ 974,182.35 | | | | $ 974,182.35 | |
| 12. Total Program Budget | $ - | $ - | $ - | $ 20,457,829.35 | $ - | $ - | $ - | $ 20,457,829.35 | |
| 13. Percentage By Category | 0% | 0% | 0% | 100% | 0% | 0% | 0% | | |

Proposed State Match: 5.0% 


A. Do you have an Indirect Cost Rate Agreement approved by the Federal government or 
some other non-federal entity? 

If yes, please provide the following information: 

B. Period Covered by the Indirect Cost Rate Agreement (mm/dd/yyyy-mm/dd/yyyy): 

C. Approving Federal agency: 

D. If other than Federal agency, please specify: 

E. The Indirect Cost Rate is: 